From 0a53c4a6da057d7679347a14ae73a378a432ba48 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 28 Jun 2021 15:03:09 +0200
Subject: [inc/User] Make sure user has a token
---
 inc/user.inc.php | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)
(limited to 'inc')
diff --git a/inc/user.inc.php b/inc/user.inc.php
index e89a4355..cf9c38c0 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -7,7 +7,7 @@ class User
 private static $user = false;
- public static function isLoggedIn()
+ public static function isLoggedIn(): bool
 {
 return self::$user !== false;
 }
@@ -113,6 +113,9 @@ class User
 if (self::isLoggedIn())
 return true;
 if (Session::load()) {
+ if (empty(Session::get('token'))) {
+ self::generateToken();
+ }
 $uid = Session::getUserId();
 if ($uid < 1)
 self::logout();
@@ -150,15 +153,7 @@ class User
 if (!Crypto::verify($pass, $ret['passwd']))
 return false;
 Session::create($ret['passwd'], $ret['userid'], $fixedIp);
- Session::set('token', md5($ret['passwd'] . ','
- . rand() . ','
- . time() . ','
- . rand() . ','
- . $_SERVER['REMOTE_ADDR'] . ','
- . rand() . ','
- . $_SERVER['REMOTE_PORT'] . ','
- . rand() . ','
- . $_SERVER['HTTP_USER_AGENT']), false);
+ self::generateToken($ret['passwd']);
 return true;
 }
@@ -187,4 +182,17 @@ class User
 return self::$user['lasteventid'];
 }
+ private static function generateToken($salt = '')
+ {
+ Session::set('token', md5($salt . ','
+ . rand() . ','
+ . time() . ','
+ . rand() . ','
+ . $_SERVER['REMOTE_ADDR'] . ','
+ . rand() . ','
+ . $_SERVER['REMOTE_PORT'] . ','
+ . rand() . ','
+ . $_SERVER['HTTP_USER_AGENT']), false);
+ }
+
 }
-- 
cgit v1.2.3-55-g7522
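Review bot: The token built in the new generateToken() is not unpredictable: `rand()` is not a cryptographic generator, `time()` is known to the second, and `REMOTE_ADDR`/`REMOTE_PORT`/`HTTP_USER_AGENT` are supplied by or observable to the client, so `md5()` over them yields a guessable value — and on the Session::load() path in the second hunk the salt is empty, so the token rests on those inputs alone. Presumably this token is later compared to reject forged requests; if so, the md5 concatenation should become `Session::set('token', bin2hex(random_bytes(16)), false);`, after which the `$salt` parameter carries no entropy and can stay only for the login caller's compatibility. That change also removes the undefined-index warning raised when `HTTP_USER_AGENT` or `REMOTE_PORT` is absent from `$_SERVER`. Since the commit adds `: bool` to isLoggedIn(), the new method should be declared in the same style, `private static function generateToken(string $salt = ''): void`.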